package se.swedenconnect.opensaml.xmlsec.signature.support.provider;

import java.security.InvalidKeyException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.apache.xml.security.Init;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.bouncycastle.util.encoders.Base64;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.algorithm.AlgorithmDescriptor;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.algorithm.SignatureAlgorithm;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.impl.SignatureImpl;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.NodeList;
import se.swedenconnect.opensaml.xmlsec.algorithm.ExtendedAlgorithmSupport;
import se.swedenconnect.opensaml.xmlsec.signature.support.provider.padding.SCPSSPadding;

/* loaded from: input_file:se/swedenconnect/opensaml/xmlsec/signature/support/provider/ExtendedSignerProvider.class */
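/**
 * Signer provider that computes RSA-PSS signatures itself when the signing key is held by the
 * SunPKCS11 provider, and otherwise defers to {@link ApacheSantuarioSignerProviderImpl}.
 *
 * <p>In the override path the padded block is built in software by {@link SCPSSPadding} and the
 * private key is only asked to perform a raw, unpadded RSA operation.
 *
 * <p>Two JVM system properties steer the behaviour. Both are process-wide, so they belong to the
 * trusted deployment configuration:
 * <ul>
 *   <li>{@code ...ExtendedSignerProvider.disabled} - read once in the constructor; when
 *       {@code true} every call is passed straight to the parent implementation.</li>
 *   <li>{@code ...ExtendedSignerProvider.testmode} - read on every call; when {@code true} the
 *       override path is taken for any RSA key, not only PKCS#11 keys.</li>
 * </ul>
 */
public class ExtendedSignerProvider extends ApacheSantuarioSignerProviderImpl {
    private static final Logger log = LoggerFactory.getLogger(ExtendedSignerProvider.class);

    /** System property that switches this provider off. */
    private static final String DISABLED_PROPERTY =
            "se.swedenconnect.opensaml.xmlsec.signature.support.provider.ExtendedSignerProvider.disabled";

    /** System property that forces the override path for software RSA keys. */
    private static final String TEST_MODE_PROPERTY =
            "se.swedenconnect.opensaml.xmlsec.signature.support.provider.ExtendedSignerProvider.testmode";

    /**
     * Class name of SunPKCS11 private keys. This is a JDK-internal name matched as a string, so a
     * JDK that renames the class would silently stop triggering the override.
     */
    private static final String PKCS11_PRIVATE_KEY_CLASS = "sun.security.pkcs11.P11Key$P11PrivateKey";

    /** XML Signature namespace, used to locate the SignatureValue element. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Value of the "disabled" system property at construction time. */
    private final boolean disabled;

    /**
     * Creates the provider and records whether it has been disabled through the system property.
     */
    public ExtendedSignerProvider() {
        this.disabled = Boolean.parseBoolean(System.getProperty(DISABLED_PROPERTY, "false"));
        if (this.disabled) {
            log.info("The ExtendedSignerProvider has been disabled - {} will be active", ApacheSantuarioSignerProviderImpl.class.getName());
        }
    }

    /**
     * Signs the supplied signature object.
     *
     * <p>Unless {@link #shouldOverride(Key, XMLSignature)} selects the override path, the call is
     * delegated unchanged to the parent implementation. In the override path the digest values are
     * generated, the canonicalized SignedInfo is padded by {@link SCPSSPadding}, the padded block is
     * run through a raw RSA private-key operation and the Base64 result is written into the
     * {@code SignatureValue} element.
     *
     * @param signature the signature to compute
     * @throws SignatureException if the XMLSignature is incomplete, the credential carries no RSA
     *         public key, or the digest/RSA computation fails
     */
    @Override
    public void signObject(Signature signature) throws SignatureException {
        if (this.disabled) {
            super.signObject(signature);
            return;
        }
        Constraint.isNotNull(signature, "Signature cannot be null");
        Constraint.isTrue(Init.isInitialized(), "Apache XML security library is not initialized");

        XMLSignature xmlSignature = ((SignatureImpl) signature).getXMLSignature();
        Credential signingCredential = signature.getSigningCredential();
        Key signingKey = CredentialSupport.extractSigningKey(signingCredential);
        if (!shouldOverride(signingKey, xmlSignature)) {
            super.signObject(signature);
            return;
        }

        // Test mode can select the override path without an XMLSignature being present;
        // report that as a signature failure instead of a NullPointerException.
        if (xmlSignature == null) {
            log.error("Bad Signature - missing XMLSignature");
            throw new SignatureException("Bad Signature - missing XMLSignature");
        }
        SignedInfo signedInfo = xmlSignature.getSignedInfo();
        if (signedInfo == null) {
            log.error("Bad XMLSignature - missing SignedInfo");
            throw new SignatureException("Bad XMLSignature - missing SignedInfo");
        }
        log.debug("{} executing during signature with {}", ExtendedSignerProvider.class.getSimpleName(), signedInfo.getSignatureMethodURI());
        try {
            signedInfo.generateDigestValues();
            byte[] canonicalizedSignedInfo = signedInfo.getCanonicalizedOctetStream();

            // The modulus length fixes the size of the padded block. Check the type before
            // casting so that a missing or non-RSA public key surfaces as the declared
            // SignatureException rather than an unchecked ClassCastException.
            Key publicKey = signingCredential.getPublicKey();
            if (!(publicKey instanceof RSAPublicKey)) {
                log.error("No RSA public key found in signing credential");
                throw new SignatureException("No RSA public key found in signing credential");
            }
            int modulusBits = ((RSAPublicKey) publicKey).getModulus().bitLength();

            MessageDigest digest = getDigest(signedInfo.getSignatureMethodURI());
            byte[] paddedBlock = new SCPSSPadding(digest, modulusBits).getPaddingFromMessage(canonicalizedSignedInfo);

            // Raw RSA with the private key: the cipher adds no padding of its own, so the
            // strength of the result rests entirely on the block produced by SCPSSPadding.
            // NOTE(review): presumably SCPSSPadding implements EMSA-PSS encoding - confirm.
            Cipher rawRsa = Cipher.getInstance("RSA/ECB/NoPadding");
            rawRsa.init(Cipher.DECRYPT_MODE, signingKey);
            byte[] signatureValue = rawRsa.doFinal(paddedBlock);

            NodeList signatureValueNodes = xmlSignature.getElement().getElementsByTagNameNS(XMLDSIG_NS, "SignatureValue");
            if (signatureValueNodes.getLength() == 0) {
                throw new SignatureException("Invalid XMLSignature - missing SignatureValue element");
            }
            signatureValueNodes.item(0).setTextContent(Base64.toBase64String(signatureValue));
        } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            log.error("RSA transform failed - {}", e.getMessage(), e);
            throw new SignatureException("RSA signature failure", e);
        } catch (XMLSecurityException e2) {
            log.error("Failure during digest calculation - {}", e2.getMessage(), e2);
            throw new SignatureException("Failure during digest calculation", e2);
        }
    }

    /**
     * Decides whether this provider computes the signature itself.
     *
     * @param key the signing key, may be {@code null}
     * @param xMLSignature the signature being computed, may be {@code null}
     * @return {@code true} for an RSA key when test mode is on, or for an RSA key of the SunPKCS11
     *         private-key class combined with an RSA-PSS signature method; {@code false} otherwise
     */
    private boolean shouldOverride(Key key, XMLSignature xMLSignature) {
        // Without a key there is nothing to sign with here; the parent provider is left to
        // handle (and report) that case, also in test mode.
        if (key == null || !"RSA".equals(key.getAlgorithm())) {
            return false;
        }
        // NOTE(review): test mode skips the RSA-PSS check below, so PSS padding would also be
        // applied under a non-PSS signature method URI - confirm this is intended.
        if (isTestMode()) {
            return true;
        }
        if (!PKCS11_PRIVATE_KEY_CLASS.equals(key.getClass().getName())) {
            return false;
        }
        String signatureMethodUri = (xMLSignature == null || xMLSignature.getSignedInfo() == null)
                ? null
                : xMLSignature.getSignedInfo().getSignatureMethodURI();
        return ExtendedAlgorithmSupport.isRSAPSS(signatureMethodUri);
    }

    /**
     * Resolves the message digest that belongs to a signature algorithm URI.
     *
     * @param str the signature algorithm URI
     * @return a new digest instance for the algorithm's digest method
     * @throws NoSuchAlgorithmException if the URI is not registered as a signature algorithm or the
     *         digest is not available from the installed security providers
     */
    private MessageDigest getDigest(String str) throws NoSuchAlgorithmException {
        AlgorithmDescriptor algorithmDescriptor = AlgorithmSupport.getGlobalAlgorithmRegistry().get(str);
        // instanceof also rejects null and guards the cast below against a descriptor that
        // reports the Signature type without being a SignatureAlgorithm.
        if (!(algorithmDescriptor instanceof SignatureAlgorithm)
                || !AlgorithmDescriptor.AlgorithmType.Signature.equals(algorithmDescriptor.getType())) {
            log.error("Unsupported signature algorithm - {}", str);
            throw new NoSuchAlgorithmException("Unsupported signature algorithm - " + str);
        }
        String digest = ((SignatureAlgorithm) algorithmDescriptor).getDigest();
        log.debug("Getting digest algorithm for '{}'", digest);
        return MessageDigest.getInstance(digest);
    }

    /**
     * Tells whether the test-mode system property is currently set to {@code true}.
     *
     * <p>The property is read on each call, so changing it at runtime changes which signing path
     * subsequent signatures take.
     *
     * @return {@code true} if test mode is enabled
     */
    private boolean isTestMode() {
        return Boolean.parseBoolean(System.getProperty(TEST_MODE_PROPERTY, "false"));
    }
}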
